Do to separation of duty requirements I have the need to grant some users only the ability to view reports and nothing else. I assumed that granting only the role "Reports - view_reports" to those users would accomplish this. Rather granting only that role also appears to grant the same permissions as "Hosts - view_hosts" as well. This is a problem because it exposes the yaml for the hosts which these view report users should not have access too.

I am filing this as a bug because I would assume a role named "Reports - view_reports" should only expose the reports functionality and not other functionality such as viewing the yaml for hosts.